Cryptography News


Securing your Cloud Storage with a Boxcryptor alternative called EncFS

Cloud storage providers such as Dropbox, Box, OneDrive, etc. are increasingly being used for both personal and business purposes. On the business side, this often happens without the individual's company being fully aware of what data is actually leaving its premises.

One of the issues with storing data in the cloud is security. Looking at Dropbox in recent years, there have been a number of embarrassing blunders which resulted in their customers' data becoming available to anyone who knew where to look. We blogged about it several times: here, here and here. Many other security blogs also covered those stories, such as this nice summary from Sophos.

To limit the risks related to storing data in the cloud, an extra layer of security should be added by encrypting that data before it is sent to the cloud, rather than relying on transport encryption alone. More importantly, the keys/passwords used to encrypt that data should be kept independently of the cloud storage provider. In other words, you should be the only one with access to and knowledge of those keys/passwords.

A few years ago we blogged about a tool called Boxcryptor which could help achieve that extra layer of security (see article here). At that time, they only had one offering, called "Boxcryptor Classic". Since then, their software and business model have evolved. Although their new business model makes sense, some changes to their software are more problematic.
For instance, they moved to a centralised/cloud model where your keys can be stored. Their filename encryption mechanism is also flawed: the same filename stored in different folders will produce the same encrypted filename, which could leak information about your encryption key. The vendor is aware of this issue but does not consider it important enough to fix. There is also a questionable mandatory update to their cloud offering if you upgrade to the latest Mac OS X.

For these reasons, we decided to look for alternatives.
The requirements were fairly simple: keys stored locally; preferably open source and low cost; works with most cloud storage providers; on-the-fly file encryption through a virtual disk/folder; runs on Linux, OS X and Windows. And a more robust filename encryption mechanism than the one used in Boxcryptor!
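The filename weakness described above, sketched as an added example (not code from Boxcryptor, EncFS or the original post): a simplified, hypothetical name-encryption scheme built on HMAC-SHA256, in which every function name and the demo key are constructed for illustration. In flat mode the same filename encrypts identically in every folder; binding each name to its parent folders removes that equality leak.

```python
import base64, hashlib, hmac
KEY = bytes(range(32))  # constructed demo key, not a real secret

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (unambiguous concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()

def xor_stream(key, iv, data):
    """XOR data with a keystream derived from (key, iv); it is its own inverse."""
    stream = b"".join(prf(key, b"stream", iv, n.to_bytes(4, "big"))
                      for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_name(key, name, context):
    """Deterministic encryption: the IV is a MAC over (context, name)."""
    data = name.encode()
    iv = prf(key, b"iv", context, data)[:8]
    return base64.urlsafe_b64encode(iv + xor_stream(key, iv, data)).decode()

def decrypt_name(key, token, context):
    raw = base64.urlsafe_b64decode(token)
    iv, data = raw[:8], xor_stream(key, raw[:8], raw[8:])
    if not hmac.compare_digest(iv, prf(key, b"iv", context, data)[:8]):
        raise ValueError("name does not belong in this folder or was altered")
    return data.decode()

def encrypt_path(key, path, chained):
    """Encrypt each component; when chained, bind it to its parent folders."""
    context, out = b"", []
    for name in path.split("/"):
        out.append(encrypt_name(key, name, context))
        if chained:  # fold the parent's name into the context for its children
            context = prf(key, b"chain", context, name.encode())
    return "/".join(out)

def decrypt_path(key, path, chained):
    context, out = b"", []
    for token in path.split("/"):
        out.append(decrypt_name(key, token, context))
        if chained:
            context = prf(key, b"chain", context, out[-1].encode())
    return "/".join(out)

if __name__ == "__main__":
    for chained in (False, True):  # same leaf name in two constructed folders
        print(chained, [encrypt_path(KEY, p, chained).rsplit("/", 1)[-1]
                        for p in ("taxes/notes.txt", "work/notes.txt")])
```

In chained mode, an encrypted name copied into a different folder also fails the integrity check when it is decrypted.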

The tool we found is called EncFS. It is actually quite an old tool, but it has recently been revived on GitHub and there is hope for future versions/improvements. Even in its current state, it works wonderfully on the latest Mac OS X, El Capitan!
It does require a few manual steps, but you then get a very neat solution. It is worth noting that a light security assessment was done a few years ago and it did find some small issues. They should be fixed of course, but none seems too serious and it should be safe to use as is.
There is a great install guide here.

  • You need to install brew:
    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  • Then install encfs:
    brew install homebrew/fuse/encfs
  • If you haven’t installed osxfuse before running the above command, you will be instructed on how to install it
  • As per the guide referenced above, to create/mount an encrypted drive:
    encfs ~/Dropbox/Private ~/Private
  • If you want to give the volume a more personal name, you can use the -o volname parameter:
    encfs ~/Dropbox/Private ~/Private -o volname="Secure Folder"
  • If you want to automate the creation of those volumes as part of a script, you should use the --standard parameter:
    encfs ~/Dropbox/Private ~/Private --standard -o volname="Secure Folder"

    With this setup you will get an experience very similar to what you used to get with Boxcryptor Classic. For free.
